Analysis

  • max time kernel: 153s
  • max time network: 44s
  • platform: windows7_x64
  • resource: win7-20220812-en
  • resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted: 05/12/2022, 16:06

General

  • Target: f335a52b0ac796e4d8cfd3dd3271efeb27acf63f3eb89f36b06fd8bfadf554a4.exe
  • Size: 2.4MB
  • MD5: a33ad34a69704593a9f32632ce27386c
  • SHA1: ba00748c45036d821d3030ec24c88d6a28480aac
  • SHA256: f335a52b0ac796e4d8cfd3dd3271efeb27acf63f3eb89f36b06fd8bfadf554a4
  • SHA512: 9e6b322e4955895fbee2b97ca49da6bdc2c06b41cf9815660fb86385c4bf93c275161ea4a4865ad2790efe9a4a0cfaca16f60ac5b4e8c2cd5a6fa93fa435503e
  • SSDEEP: 49152:quqqYqqhRRwZ6MeGnVsyWxwChYAgsMMMMMM9ncdQsLp25wwyje/5IqNTYlMbv/es:+qfq7RwZPdKylAMMMMMM9ncGr/59Ylpm

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service (2 TTPs, 2 IoCs)
  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Sets service image path in registry (2 TTPs, 1 IoC)
  • Adds Run key to start application (2 TTPs, 6 IoCs)
  • Enumerates connected drives (3 TTPs, 22 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (24 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class (3 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f335a52b0ac796e4d8cfd3dd3271efeb27acf63f3eb89f36b06fd8bfadf554a4.exe
    "C:\Users\Admin\AppData\Local\Temp\f335a52b0ac796e4d8cfd3dd3271efeb27acf63f3eb89f36b06fd8bfadf554a4.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Windows\servicew.exe
      "C:\Windows\servicew.exe"
      2⤵
      • Modifies firewall policy service
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Sets service image path in registry
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:1480
    • C:\Windows\smart_scan.exe
      "C:\Windows\smart_scan.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:1164

Network

        Downloads

  • C:\Windows\iecomn.dll
    Filesize: 453KB
    MD5: 2a753dd7983a26af0bda3b3e83478105
    SHA1: 1a12ae754485f05ef33bc3fb8a845a1270cf742a
    SHA256: 3f62b24b68ac0494fd28633e25093e8e3260e1c074cb115047391e8dcaff757b
    SHA512: 6ce9f9e0720dfa83d1fd6ad2006e7f9b717ed2eb1169871259f803bd5fea4e652cbad3267b23f8b752963f21da52b62f1e579e00abd598ff9de90dff584453f2

  • C:\Windows\servicew.exe
    Filesize: 457KB
    MD5: b4206c00b0fbb78c29a8d0eecd6648b7
    SHA1: 76f5ca420f2b7ab962d07a32356bbcc73c12e74b
    SHA256: e17b542bb4cd32713c020a3721382b761d01e5424845341d20e28e11c6d72884
    SHA512: 8bcaa99e8685541ae68ebe5b5860ff6d4fce7fff57f0b23a0dd979482e2bd32374a50b63a906aa2ef133af7edb45f21235fd163e7ac733e318f5064024285649

  • C:\Windows\smart_scan.exe
    Filesize: 684KB
    MD5: 0f43b9cf9bb42ecab1a8819cf9411a44
    SHA1: b73a10c4dc23a3a73c049365d43f334b1ae4492a
    SHA256: 26b3b9896475b103c36fc8ee84e572ec5c63ce7afb036f9230c63c465aec8473
    SHA512: 6fd9b88e288bc9440af370f411484b9a109419a525a14a73315140ee3725b7a6f1902de2ec22719d35935ce41c3d6fc210b51370f10facb5dd1626fdd5bb0597

  • C:\Windows\viaud.dll
    Filesize: 18KB
    MD5: 25bc58395157cd42319fbfff055bfa8a
    SHA1: 4abc9028fdf3330ff47c14542d0196cf801a9275
    SHA256: 26f6b0df01e37d72843e3230989bb73795b83625ffae5c0f185dbc2e9f81ec42
    SHA512: 296d88ed959eb2d107abeb9c3637016713ab508dea637b3d1f4a788bdc4707e5ada9ed22ede6a32bcd82a9bc1f828f9e324981b5614d2f8f375f8b4fb5f298a2

  • \??\c:\windows\servicew.exe
    Filesize: 457KB
    MD5: b4206c00b0fbb78c29a8d0eecd6648b7
    SHA1: 76f5ca420f2b7ab962d07a32356bbcc73c12e74b
    SHA256: e17b542bb4cd32713c020a3721382b761d01e5424845341d20e28e11c6d72884
    SHA512: 8bcaa99e8685541ae68ebe5b5860ff6d4fce7fff57f0b23a0dd979482e2bd32374a50b63a906aa2ef133af7edb45f21235fd163e7ac733e318f5064024285649

  • memory/1164-64-0x0000000003410000-0x0000000003487000-memory.dmp
    Filesize: 476KB

  • memory/1476-54-0x0000000074C11000-0x0000000074C13000-memory.dmp
    Filesize: 8KB

  • memory/1480-63-0x0000000000630000-0x00000000006A7000-memory.dmp
    Filesize: 476KB